France tells Google to remove 'Right to be forgotten' search results worldwide
The French privacy watchdog has rejected Google's claim that the right to be forgotten should only apply to search results on its European websites.
France’s privacy regulator has rejected Google’s request that it just forget about a ruling extending the “right to be forgotten” to all Google’s websites, not just those with European domain names.
The decision requires Google to close a loophole that enabled searchers to defeat a judgment by the Court of Justice of the European Union (CJEU) last year.
The CJEU recognized the right to be forgotten in May 2014, allowing people to ask search engines to not display certain links resulting from a search on their name.
The CJEU case was triggered by a Spanish lawyer asking that Google no longer respond to a search on his name with links to a years-old administrative announcement in a local newspaper concerning the court-ordered auction of his property to pay debts.
While humans would happily forgive and forget a tax debt long repaid, or other errors of judgment such as drunken antics at a party, search engines make it easy for such information to resurface in milliseconds. The right to be forgotten isn’t about erasing such traces altogether—in the Spanish case, the courts ruled that the newspaper should not delete the original announcement—but merely about making them harder to find. There’s also a public interest exception so newspaper reporters, and ordinary citizens for that matter, won’t have to spend weeks combing paper archives for evidence of politicians’ past misdeeds.
Google complied with the CJEU ruling, removing certain results on request from searches performed on google.fr, google.co.uk and its other European sites, and even providing an online tool to make it easier for people to request removal of links to information about them.
However, it continued to display the disputed links in response to searches performed on google.com, giving anyone who wanted uncensored search results an easy way around the court ruling.
That annoyed the French National Commission on Computing and Liberty (CNIL), the country’s privacy watchdog, which in May this year ordered Google to conceal disputed search results across all its sites. Google has received tens of thousands of requests from French citizens asking it to forget search results about them, CNIL said.
Google filed an informal appeal against that order in July, arguing that the order amounted to censorship, would restrict the public’s right to information, and sought to extend French law outside French borders.
On Monday, CNIL turned down Google’s request, saying it considered Google’s various domain names merely as different paths to the same processing operation; limiting the right to be forgotten only to some domains would make it easy to circumvent.
CNIL also rejected Google’s accusation that it was going beyond its jurisdiction, saying that it just wants non-European companies to respect European laws when offering their services in Europe.
There seems to be little pressure on Google to comply: It took CNIL a year after the CJEU ruling to ask Google to extend the right to be forgotten to google.com and now, four months later, it is merely threatening to appoint someone to report to its sanctions committee “with a view of obtaining a ruling on this matter.”
This case shows how little power the multiplicity of national privacy regulators have to defend the European Union’s 500 million citizens, and highlights the tangle of different legal regimes that hamper multinational companies hoping to serve them.
Those are two of the problems the European Commission hopes to solve with the introduction of the General Data Protection Regulation, the first update of the EU’s common legislation on privacy since 1995. The Commission, European Parliament and European Council could agree by the end of this year on a final legislative text, which would take effect by the end of 2017.
For companies like Google, the legislation would be a mixed blessing: On the one hand, it would only have to deal with a single European privacy regulator, but on the other it could face fines of up to 5 percent of its worldwide revenue for breaking the rules, rather than the derisory tens of thousands of euros it could be ordered to pay today.